WPA2, KRACK, WTF? a basic, basic summary

The following started as notes to myself in preparation for talking about the KRACK weakness in WPA2. It is far from comprehensive (I wrote it to be about as basic as I could), but it could be helpful in understanding the basics of what is going on and why you should be concerned, without freaking out. My biggest takeaway from this is that we need to do a better job in how we talk to people about digital security and how imperfect the landscape is. More important than understanding one specific vulnerability is helping nontechnical people develop a framework for understanding how security research works and what steps they can take to start understanding the devices and infrastructure that they use.

Wait, What?
In July, Mathy Vanhoef, an academic security researcher in Belgium, discovered a problem with the most common way to set up a password-protected wifi network (WPA2). At first Vanhoef contacted the manufacturers of the devices where he initially discovered this. Then, he realized that there was a much larger problem and contacted CERT/CC, an organization funded by the US government that works on digital security and sometimes helps researchers with vulnerability disclosures. Vanhoef is presenting his research soon at a couple of different conferences, so a preliminary version of his paper has recently been made available. While the initial attack only affects some devices, all platforms are vulnerable to at least one variation of the attack found by Vanhoef.

This group of vulnerabilities is being called KRACK, standing for Key Reinstallation AttaCK.

How WPA2 and this attack work
When your device connects to a wifi router, there’s a back and forth between the two before you can connect to the internet. WPA2 uses a 4-part handshake to make sure that you are connecting to the wifi you think you are connecting to. What Vanhoef found was that if someone pretends to be the wifi router you want to connect to, and the impostor router sends the step-three message again, the device will resend the requested information, and the impostor router will be able to figure out the shared secret key between the router and the device, allowing the attacker to continue impersonating the router and to decrypt the data sent between the router and the device. More recently, similar attacks have been successful at other points of negotiation between your device and a router, like when you move from one router to another on the same wifi network. The core problems come from the ability to make the routers reuse keys.

Accessing your data there would let the attacker see your internet traffic and they may be able to get your device to switch from HTTPS to HTTP, which would mean that they could see the content that you were accessing or sending, including passwords. The problem with WPA2 means that HTTPS is even more important right now.
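To make the step-three replay concrete, here is an added simulation (not code from the post or from Vanhoef’s research). It assumes a simplified client that, on receiving handshake message 3, installs the session key and resets its packet counter to zero; that counter is the nonce for the per-packet keystream, so a reset means two packets get the same keystream and their XOR leaks the XOR of the plaintexts. A SHA-256 counter mode stands in for WPA2’s AES-CTR, and the "patched" client shows the fix of never reinstalling a key that is already in use.

```python
import hashlib
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from SHA-256, a stand-in for WPA2's AES-CTR
    # (CCMP). The property that matters is shared: same key + same nonce
    # gives the same keystream.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Simplified client side of the handshake. Message 3 installs the session
    key and resets the packet counter that is used as the nonce."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.counter = 0

    def receive_msg3(self, session_key: bytes) -> None:
        if self.patched and self.key == session_key:
            return              # fix: never reinstall a key already in use
        self.key = session_key
        self.counter = 0        # the reset that a replayed message 3 triggers

    def send(self, plaintext: bytes) -> tuple[bytes, bytes]:
        nonce = self.counter.to_bytes(6, "big")
        self.counter += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))

# Constructed sample frames of equal length, standing in for two packets.
FRAME1 = b"GET /inbox HTTP/1.1 "
FRAME2 = b"password=hunter2&ok "

def simulate(patched: bool) -> tuple[bool, bytes]:
    """Send FRAME1, deliver message 3 a second time (the replay), send FRAME2.
    Returns whether the nonce repeated and c1 XOR c2."""
    sta = Station(patched)
    key = os.urandom(16)
    sta.receive_msg3(key)
    n1, c1 = sta.send(FRAME1)
    sta.receive_msg3(key)       # replayed message 3
    n2, c2 = sta.send(FRAME2)
    return n1 == n2, xor(c1, c2)
```

With the unpatched client, `simulate(False)` reports a repeated nonce and the returned value equals `xor(FRAME1, FRAME2)`, so anyone who can guess one frame (HTTP headers are very predictable) reads the other; the patched client keeps counting and the two ciphertexts tell them nothing.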

Why this matters to individuals
We rely on WPA2 to secure much of our internet traffic. We send all sorts of sensitive data over wifi, like passwords, financial data, and health information. We rely on the internet for many things every day and we need to be able to trust this important infrastructure with not only more traditional kinds of sensitive information, but also our most personal communications and private questions.

The KRACK vulnerability requires a targeted attack. Unlike a lot of security issues, anyone attacking you would have to be within wifi distance (generally 90 meters or less). Most people are probably OK, but this can be a serious problem for people with higher levels of risk, such as activists, journalists, human rights defenders, and domestic violence survivors, as well as for networks with higher security needs, like those connected to health and finance.

What you can do about it
The main thing that you can do is install updates for your wifi router firmware and for all of the devices that you use to connect to wifi. You will be protected as long as your device is patched, even if the wifi router hasn’t been. Because the main issues with someone having this kind of access are tricking your device into using HTTP instead of HTTPS or content injection (where an attacker makes it look like content is coming from a website, but it isn’t), you can also install the HTTPS Everywhere browser extension and remember to check for the little green lock to the left of the website address.

Windows has already put out a patch. Apple is about to release theirs (currently in beta release and waiting to make sure that it doesn’t contain bugs). Several of the Linux distros have addressed this. The Android update is scheduled for 5 November, but it is unclear when individual phones will actually receive the patch because updates have to go through the phone manufacturers, instead of directly to end users.

VPNs also offer protection, but when you use a VPN, you are trusting the VPN provider with all of that information about your internet traffic.

This isn’t something you can fix by changing your wifi router or network password, but it is always a good idea to use strong, unique passwords instead of the defaults. Diceware passphrases are particularly good for this.

How problems like this are discovered and addressed
There are thousands and thousands of security researchers, some academic, some professional, some in their free time, who poke around at the internet and related technologies to understand better how they work and to find problems so that they can be fixed. Many companies have programs specifically set up to handle security vulnerability reports, which are sometimes called “bug bounties.” When a problem with an individual device or application is discovered, the researcher will generally contact the company directly and report the problem. With something so overarching, like KRACK, the researcher may ask an organization like CERT/CC to assist in the process of figuring out how to responsibly disclose the security problem.

In both cases, once the researcher has told affected parties about the issue, there’s generally a certain amount of time where the problem is kept secret so that a patch can be put in place. After that chunk of time, the researcher may announce the issue even if the patch is not yet in place. This is partially because otherwise companies might not feel the need to work quickly on the patch and because other people could also discover the issues, so staying quiet doesn’t necessarily keep the general public safe.

The bigger picture
A lot of the time, we accept the technology around us without really thinking about what it is or how it works. When we don’t understand what we are using, it’s very hard to know what kinds of risks we are taking or what decisions we are actually making. Wifi routers aren’t magic. They are tiny computers with radios attached. In the current state of consumer electronics, we don’t necessarily know if the devices we are using are getting security updates, and it can be very hard to tell. That means it is really hard to push for better options as an end user. We are increasingly understanding just how important router security is. The lack of understanding of it, and the relative lack of firmware updates for routers, will be an increasing problem as more and more devices connect to the internet wirelessly.

Links links links!
Site explaining the research, from Vanhoef: https://www.krackattacks.com

HTTPS Everywhere: https://www.eff.org/https-everywhere

Information about diceware passphrases: https://www.eff.org/dice

Refresh on HTTPS: https://www.eff.org/pages/tor-and-https

The paper: http://papers.mathyvanhoef.com/ccs2017.pdf

Vulnerability notes database for KRACK (to check if a particular device is affected): https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Very early Ars Technica article on KRACK: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

And a comic for all of us who are so over waiting for critical firmware updates: http://www.commitstrip.com/en/2017/10/16/wpa2-vulnerability-just-a-small-update

When Activism Goes Online: Anonymous, Hacktivism and the Law Lecture at NYLS

A couple of weeks ago I went to a lecture, “When Activism Goes Online: Anonymous, Hacktivism and the Law,” at New York Law School, co-sponsored by the Institute for Information Law and Policy, National Lawyers Guild National Office, and Students for Free Culture. The panelists were Kenneth Citarella, an adjunct professor at NYLS and former prosecutor who specialized in computer crimes starting in the 1980s; Abi Hassen, Mass Defense Coordinator with the National Lawyers Guild; and Grainne O’Neill, a defense attorney specializing in the intersection of law and technology.

Citarella talked a little bit about his experience as a prosecutor of computer crimes very early on. One of his main points is that he strongly dislikes the word hacker, specifically because he doesn’t feel like he knows what it means. Later on in the evening he emphasized the difference between in-person actions and actions mediated by technology, without clarifying exactly how. Mainly, I think that he served as a prosecution-side counterpoint to the other speakers. The most interesting thing for me was hearing how generally conservative he is in his interpretation and squaring that against his early involvement in the Electronic Frontier Foundation, which serves as a good reminder that civil liberties is an area where many people can find common ground.

O’Neill started by talking about the Computer Fraud and Abuse Act (CFAA) of 1984. The CFAA was conceived of and passed in a time before the internet as we know it, both socially and technologically, and was passed specifically to protect financial institutions, the government, and interstate commerce. For purposes of the CFAA, “unauthorized access” is defined by the computer or website’s Terms of Service (TOS), violations of which would otherwise be only a matter of contract law, not criminal law. In effect, the CFAA empowered private companies to dictate criminal law through their TOS. The CFAA’s definition of damages sets a low standard.

After covering the basics of what the CFAA is, O’Neill compared the penalties for online behaviors to their closest offline equivalents. She placed a DDOS (distributed denial of service) attack as similar to a picket, since both are intended to provide visibility to the activists’ displeasure with the target. Theft of a cheap laptop in a coffee shop that contained sensitive information might be punishable by a year in jail, but accessing the same information via an unsecured wi-fi network would get up to 10 years in prison under the CFAA, and in that scenario, the victim hasn’t lost use of anything. Even assuming that the laptop is more expensive and taken from a home, burglary in New York has a maximum sentence of 7 years, which is still less than allowed for remote entry under the CFAA, and involves someone physically entering one’s home. After going over the potentially disparate treatment of crimes based on whether hacking is involved or not, O’Neill reiterated that many online crimes are criminalized under non-online-specific legislation and that we should look to our rich history of jurisprudence in seeking to address

Hassen put together a PowerPoint presentation which he titled “The Fifth Estate: Information Activism in the Age of Secrecy,” drawing on the idea that hackers and information activists (including whistleblowers) may work for the public good, as a watchdog, much as the press, or fourth estate, has. An example of this he gave was Hamed Al-Khabaz, a Canadian student who was expelled from Dawson College after finding and reporting a major security flaw in his university’s storage of student information. He also emphasized the role of “lulz,” vaguely defined as humor or mischievous satisfaction, in hacking. His example of this was Guccifer’s release of George W. Bush’s remarkably bad self-portrait while showering.

Hassen’s presentation included a couple of really great quotations on related topics from Bloomberg and Thomas Jefferson. He showed graphs from Google and Microsoft of requests for user information from governmental agencies and emphasized the contradiction of increased government and corporate secrecy with the decrease of personal privacy and increase of individual surveillance at the same time. He also gave a great run-down of current major hacking cases in the United States:

And of whistleblower cases:

The best part of the lecture was the question and answer session after the structured presentation. I didn’t take great notes on that part, and since the lecture was back on April 3rd, my memory is not good enough to flesh out the discussion. Highlights included: Citarella arguing that federal sentencing guidelines are frequently too rigid and pointing out that in the case of Matthew Keys we should strongly consider the difference between what the end result of his giving out passwords was and what it could have been in understanding its treatment in the courts; Hassen building on his earlier talk of current cases and mentioning that 95% of cases end in pleas, largely because of the power that prosecutors have in their discretion regarding charges and requests; and O’Neill stating that the freedom to assemble is really the freedom to assemble anonymously and that anonymity is key to the power of the freedom to assemble. Other items of discussion included emergent 4th and 5th Amendment issues as well as time-place-manner restrictions on in-person protests and how those translate into online activism.

Book Review: Epic Win for Anonymous

One of my favorite things about living in New York City is making use of the local libraries. The networking and proximity of libraries gives users access to an entire borough’s worth of books to pick up and drop off at a local branch. It’s like interlibrary loan, but integrated into standard library use. I recently made use of this by picking up a copy of Cole Stryker’s Epic Win for Anonymous: an Online Army Conquers the Media, published by Overlook Press.

Epic Win for Anonymous covers the rise of Anonymous (big-A) and the history of anonymous (little-a) in internet culture. When I sat down to write this review, I noticed that the subtitle on the cover is an Online Army Conquers the Media, but inside the book, the subtitle is How 4chan’s Army Conquered the Web, a far more accurate description of its content. This is apparently only true for the paperback version. The hardcover appears to reference 4chan throughout. This difference and the publisher’s perceived need to change the title echoes what I feel public conceptions frequently miss when attempting to understand what has come to be known as “internet culture.”

My take on the book is that Stryker does come from this culture and is a good guide. He’s attempting to contextualize a weird, self-selecting youth culture (though participants do range in age). It lays out the social context of sites like 4chan, SomethingAwful, and Rotten, as well as Usenet, WELL (Whole Earth ‘Lectronic Link), and BBSs, which came in the generations before. He does a good job explaining the user experiences and information flows in the different communities and what that means for the culture that is fostered in the different environments. He also looks at the role of external factors in shaping internal community dynamics.

Chapters 1 (Memes: Shared Nuggets of Cultural Currency), 6 (The Meme Industry), and 7 (The Meme Life Cycle) present a coherent summary of the phenomenon of internet memes and their place in human history as a constant tendency lit up by the enabling hand of new technologies. With this, and the rest of the book, Stryker balances descriptions of individual incidents or memes with explanations of broad processes. He succeeds in using details to illuminate without bogging down. It helps that large parts of what he covers are, well, for the lulz.

This book features an impressive 11-page bibliography. I plan on making a photocopy for future reading list reference. It alone would have made this book worthwhile. I’m looking forward to reading Stryker’s second book, Hacking the Future: Privacy, Identity, and Anonymity on the Web. I don’t think that I liked this book as much as I have liked what Biella Coleman has said on similar topics, though I think it’s important to recognize that Stryker’s book has mostly avoided academic terminology and is more approachable without the background knowledge that Coleman’s requires for full understanding. Epic Win is epic win as a first look beyond news stories at the deep background of Anonymous, including AnonOps and LulzSec, and why that background is important for making sense of current discussions on the future of internet communication, especially when it comes to identities, communities, security, fear, and privacy.

See also: